
AAGATE: A NIST AI RMF-Aligned Governance Platform for Agentic AI

Published 12/22/2025

Written by:

  • Ken Huang, CEO, DistributedApps.AI, CSA Research Fellow
  • Kyriakos "Rock" Lambros, CEO, RockCyber
  • Jerry Huang, Fellow at Kleiner Perkins
  • Yasir Mehmood, Independent Researcher, Germany
  • Hammad Atta, CEO, Qorvex Consulting & Roshan Consulting
  • Joshua Beck, Application Security Architect, SAS Institute
  • Vineeth Sai Narajala, Project Co-Lead OWASP AIVSS
  • Muhammad Zeeshan Baig, Course Director, Wentworth Institute of Higher Education, Machine Learning Professional
  • Muhammad Aziz Ul Haq, Research Fellow, Skylink Antenna
  • Nadeem Shahzad, Director, Roshan Consulting & Robotic Process Automation
  • Bhavya Gupta, Information Security Officer, Stanford University

 

Introduction: The Hidden Governance Gap in Agentic AI

As autonomous, reasoning-driven agents begin executing code, invoking APIs, and spawning sub-agents at machine speed, enterprises face a new governance challenge.

Traditional AppSec and compliance tools were designed for deterministic software, not for self-directed reasoning systems capable of improvisation.

The result is a widening gap between AI risk frameworks (like NIST’s AI RMF) and the runtime control mechanisms required to enforce them. Without verifiable oversight, a single hallucinated command can expose customer data, exhaust resources, or rewrite infrastructure.

AAGATE (Agentic AI Governance Assurance & Trust Engine) closes this gap. It translates the high-level functions of the NIST AI RMF (Govern, Map, Measure, Manage) into a living, Kubernetes-native architecture aligned with CSA frameworks such as MAESTRO, AIVSS, and the Agentic AI Red Teaming Guide.

 

The Expanding Risk Surface: Governance Challenges in Agentic AI

Unlike static LLM applications, agentic systems introduce continuous, improvisational risk. They can reason, chain tools, and act without human review, creating dynamic vulnerabilities:

  • Logic-Layer Prompt Control Injection (LPCI): hidden payloads in tools or memory that bypass validation.
  • Cognitive Degradation (QSAF): reasoning instability from recursive or overloaded sessions.
  • Identity Misuse (DIRF): unauthorized replication or monetization of digital likeness.
  • Supply-Chain Blindness: unverified models and unsigned images propagating across environments.

Each risk propagates across the perception, planning, and tool-use subsystems, making manual oversight impossible. AAGATE’s mission is to make governance continuous, automated, and explainable, as dynamic as the agents it protects.

 

The AAGATE Architecture: A Layered Control Plane

AAGATE provides a runtime governance overlay, independent of model internals, through eight core components:

  1. Governing-Orchestrator Agent (GOA) – the system brain. Receives telemetry, classifies events via SEI SSVC logic, and enforces “millisecond kill-switch” responses.
  2. ComplianceAgent – continuously evaluates security signals using OWASP AIVSS scoring and policy logic (OPA + Rego).
  3. Janus Shadow-Monitor Agent (SMA) – acts as an internal red-team, re-evaluating agent actions before execution.
  4. Tool-Gateway Chokepoint – funnels every external API, DB, or file interaction through one auditable gate.
  5. Agent Name Service (ANS) – registers and authenticates all agents through verifiable credentials (DIDs + SPIFFE).
  6. Istio mTLS + Cilium eBPF Mesh – enforces zero-trust communication and observability.
  7. Qdrant + UEBA + Kafka Pipeline – provides behavioral analytics and continuous risk telemetry.
  8. ETHOS Ledger Hooks – optional blockchain layer for decentralized accountability and tamper-proof compliance proofs.

Figure 1: Kubernetes-native architecture with service mesh, observability, and governance orchestration (AAGATE Control Plane).

Together, these modules form a self-governing mesh that operationalizes the NIST RMF functions across runtime, policy, and identity domains.

 

The Four AAGATE Governance Functions

Each NIST AI RMF function is instantiated through CSA-aligned frameworks:

Figure 2: AAGATE operationalizes the four core functions of the NIST AI RMF (Govern, Map, Measure, Manage) with specific security frameworks and implementations.

| RMF Function | Operational Mechanism | Supporting Framework |
| --- | --- | --- |
| Govern | Signed supply chain (SLSA L3), OPA policy ingestion, mTLS fabric, ETHOS ledger for verifiable logs | CSA Zero-Trust Controls + DIRF |
| Map | MAESTRO-aligned threat mapping via Tool-Gateway and ANS | CSA MAESTRO |
| Measure | Continuous telemetry scored by OWASP AIVSS and prioritized via SEI SSVC | OWASP AIVSS + SSVC |
| Manage | Janus SMA + GOA enable proactive containment and automated red-teaming | CSA Agentic AI Red Teaming Guide |

This unified stack moves governance from theory to engineering reality.

Figure 3: MAESTRO Threat Mapping & AAGATE Mitigations.

Governance Controls in Practice

AAGATE enforces seven continuous control loops, mirroring runtime observability:

  1. Supply-Chain Integrity Enforcement – signed OCI images, SBOM tracking, and Cosign verification.
  2. Identity & Provenance Validation – agent DIDs mapped to verifiable credentials through ANS.
  3. Policy Translation & Enforcement – natural-language AI Act clauses compiled into Rego for machine-readable execution.
  4. Behavioral Telemetry Scoring – AIVSS metrics and UEBA behavior fingerprints feed risk models.
  5. Autonomous Red-Team Loop – Janus SMA simulates adversarial scenarios pre-execution.
  6. Millisecond Containment Switch – instant isolation via Istio AuthorizationPolicy.
  7. Ledger Audit Trail – on-chain proofs of compliance and lifecycle events.

These mechanisms together deliver continuous assurance, verifiable ethics, and explainable accountability.
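To make the control loops above concrete, here is an added Python sketch (not AAGATE’s own code, nor a CSA artifact) of how a Tool-Gateway chokepoint (component 4 of the architecture) can combine deny-by-default policy enforcement (loop 3), an identity check standing in for ANS validation (loop 2), a containment switch that the GOA would flip (loop 6), and a tamper-evident audit trail standing in for the ledger (loop 7). The SPIFFE-style agent IDs, the policy table (a stand-in for compiled Rego) and the hash-chained in-memory log are all constructed assumptions for the example.

```python
"""Minimal tool-gateway chokepoint: deny-by-default policy, containment
switch and hash-chained audit log. Added illustration, not AAGATE code."""
from __future__ import annotations

import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable

# Constructed policy standing in for compiled Rego:
# agent identity -> tool -> set of permitted actions. Anything absent is denied.
POLICY: dict[str, dict[str, set[str]]] = {
    "spiffe://example.org/agent/trading-bot": {"market_data": {"read"}},
    "spiffe://example.org/agent/ops-bot": {
        "k8s": {"get", "list"},
        "filesystem": {"read"},
    },
}


@dataclass
class ToolRequest:
    agent_id: str   # identity asserted by the mesh (mTLS / SPIFFE), not by the prompt
    tool: str
    action: str
    args: dict


@dataclass
class Decision:
    allowed: bool
    reason: str


class ToolGateway:
    """Every external tool call passes through handle(); nothing bypasses it."""

    def __init__(self, policy: dict[str, dict[str, set[str]]]) -> None:
        self.policy = policy
        self.quarantined: set[str] = set()
        self.audit: list[dict] = []
        self._prev_hash = "0" * 64  # genesis link of the audit chain

    def quarantine(self, agent_id: str, reason: str) -> None:
        """Containment switch: all later requests from this agent are denied."""
        self.quarantined.add(agent_id)
        self._record({"event": "quarantine", "agent": agent_id, "reason": reason})

    def evaluate(self, req: ToolRequest) -> Decision:
        """Policy decision only; has no side effects."""
        if req.agent_id in self.quarantined:
            return Decision(False, "agent quarantined")
        if req.agent_id not in self.policy:
            return Decision(False, "unknown agent identity")  # not registered
        permitted = self.policy[req.agent_id].get(req.tool, set())
        if req.action not in permitted:
            return Decision(False, f"{req.action} on {req.tool} not permitted")
        return Decision(True, "policy allow")

    def handle(self, req: ToolRequest, executor: Callable[[ToolRequest], None]) -> Decision:
        """Evaluate, record the outcome, and only then execute if allowed."""
        decision = self.evaluate(req)
        self._record({
            "event": "tool_call", "agent": req.agent_id, "tool": req.tool,
            "action": req.action, "allowed": decision.allowed,
            "reason": decision.reason,
        })
        if decision.allowed:
            executor(req)
        return decision

    def _record(self, entry: dict) -> None:
        """Append an entry whose hash covers its content and the previous hash."""
        entry = dict(entry, ts=time.time(), prev=self._prev_hash)
        digest = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self.audit.append(entry)
        self._prev_hash = digest

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["hash"]:
                return False
            prev = digest
        return True


if __name__ == "__main__":
    gw = ToolGateway(POLICY)
    run = lambda r: print(f"executing {r.tool}.{r.action}")
    bot = "spiffe://example.org/agent/trading-bot"
    print(gw.handle(ToolRequest(bot, "market_data", "read", {}), run))
    print(gw.handle(ToolRequest(bot, "market_data", "write", {}), run))
    gw.quarantine(bot, "UEBA anomaly flagged by GOA")
    print(gw.handle(ToolRequest(bot, "market_data", "read", {}), run))
    print("audit chain intact:", gw.verify_audit())
```

The design point is ordering: the decision and its audit record are written before the executor runs, so a denied or quarantined call leaves evidence even if the agent retries, and the identity the policy keys on comes from the transport layer rather than from anything the model emitted.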

 

Real-World Applications

AAGATE’s modular architecture applies across critical domains:

  • Finance: enforce least-privilege OAuth via the Tool-Gateway, preventing unauthorized trades.
  • Healthcare: ensure audit-ready transparency under EU AI Act Article 12.
  • Cloud DevOps: detect rogue autonomous scripts via UEBA behavior profiling.
  • Government AI Systems: deploy zero-knowledge proofs of policy compliance.
  • Agent Platforms: integrate QSAF monitors and LPCI filters for cognitive and logic-layer resilience.

Check out the full technical paper, architecture diagrams, and control mappings.
